Streamline PCI Compliance in a Diverse Hospital Environment
Session #212, February 14, 2019
Philip Napier, Director, Enterprise Information Security, Bon Secours Health System
Jon Bonham, Principal, Coalfire
Conflict of Interest
Philip Napier and Jon Bonham have no real or apparent conflicts of interest to report.
Agenda
• Learning Objectives
• PCI DSS – ROC and SAQ…Requirements
• PCI Responsibility
• Bon Secours Health System PCI Journey
• Health Systems…Unique Merchants
• Skeletons
• M&A
• Where to Start/Next Steps
• Best Practices
Learning Objectives
• Evaluate current payment security program status
• Assess high-level gaps for remediation
• Identify commonly overlooked areas for process improvement
• Integrate all merchants in the health system for attestation
What is PCI?
Payment Card Industry
• Founded by the card brands to have a single program instead of many
• DSS – Data Security Standard
• Card brands enforce fines and determine reporting levels.
  Visa merchant levels (by annual transaction volume):
    More than 6 million: Level 1 merchant (ROC)
    1 million to 6 million: Level 2 merchant (SAQ)
    20,000 – 1 million e-commerce: Level 3 merchant (SAQ)
    1 – 20,000 e-commerce: Level 4 merchant (SAQ)
• Acquiring banks enforce fines and collect attestation
PCI compliance – ROC vs SAQ
DSS – Data Security Standard
• 12 main requirements
• 370 sub-requirements
• ROC and SAQ have the same requirements
• All or nothing
• SAQ types: A, A-EP, B, B-IP, C, C-VT, D, P2PE
  Which one applies depends on how you process card payments
  More risk = more requirements
Who owns PCI responsibility?
The IT dept owns PCI unless you look at:
• Why are we accepting credit card payments?
• Who has the business need?
• Who signed the contracts with the banks?
• Who agreed to be PCI compliant at all times?
In which case, it might be the Treasury dept.
Bon Secours PCI Journey - Challenges
• Disconnect between operational and governance (circumventing finance/Treasury and going straight to IT)
• Lack of alignment between the policy compliance approach and operational compliance
• Project management and implementation challenges
• No committee (Treasury and security) to review contracts prior to engaging vendors; this was in the hands of the legal team
Health Systems…unique merchants
Retail merchants have one business need/one card processing model
Health systems have a different card data processing model:
– Admitting
– Emergency Department (WoW)
– Outpatient
– Ambulatory
– Pharmacy
– Cafeteria
– Gift shop
– Call center
– Urgent care clinics
– Surgical centers
– Parking
– Lactation clinics
– Catering
– Foundations
Where are the skeletons buried?
Most common in hospitals…
• Number of transactions determines merchant level
  Cafeteria makes up 80% of transactions
  Parking can push transaction volumes
• Flat networks: payments typed into general-purpose workstations
  Payments typed into online processors
• Storing payment card data, including the CVV code
  Written down in pharmacies for recurring subscriptions
  Mailed or faxed in forms, or taken over the phone
  Email
Where are the skeletons buried?
• VoIP
  Recording of calls in call centers
  Any office/department that takes card payments using a VoIP phone system
  PCI Council guidance: Industry Guidance on Accepting Telephone Payments Securely
Where are the skeletons buried?
• Current PCI compliance status and historic approach to compliance
  Attestation approach (SAQ vs ROC)
  Policy approach or internal guidance
  Business partners and existing contracts with vendors who process credit card transactions
Mergers & Acquisitions - PCI
• What is the compliance status of new acquisitions?
• When does the PCI coordinator find out about a new acquisition?
• What is the best plan for working with the M&A team?
• Can it affect pricing or negotiations?
• What to do when the new organization comes on board?
Bon Secours PCI Journey - Solution
• Get a list of all merchant IDs and identify depts – who the IDs belong to and how they’re processing card payments
• Visit and interview the people actually processing card payments to confirm that assumptions are correct, and identify other issues that were not uncovered
  - How are they taking card payments? Are they storing CC data?
• Make business decisions about changes
  - Work with QSA/vendors/business units to develop solutions that are PCI compliant and meet the business needs of the health system
• Make the changes, sell to management, prove compliance
Where to start
You don’t know what you don’t know.
• Walk and Talk
• Visit each area to understand what they do.
  How do they process card payments and why (understand the business need)
• Find the high-level gaps
  Storing payment card data
  Flat networks
  Email
• Create sets of similar processes
• Create a plan to fix, replace and standardize.
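The "find the high-level gaps" step above is largely a data-discovery exercise: you have to locate where card data is actually being written down, faxed or e-mailed. As an added example that is not from the deck or from Bon Secours, the following Python scans constructed sample records of the kinds the slides mention (a pharmacy subscription note, a faxed admitting form, a cafeteria report, an e-mail body) for Luhn-valid card numbers and flags any stored CVV beside them; the sample records, the regexes and the function names are all assumptions.

```python
import re

# Constructed sample records (not from the deck) for the places the slides say card
# data turns up: pharmacy subscription note, faxed admitting form, cafeteria report, e-mail.
SAMPLES = {
    "pharmacy_subscription_note.txt": "Refill plan: card 4111 1111 1111 1111 exp 09/26 CVV 123",
    "faxed_admitting_form.txt": "Guarantor card#: 5555-5555-5555-4444 Exp 11/25",
    "cafeteria_daily_report.csv": "date,total\n2019-02-14,4312.50",
    "email_body.txt": "Invoice 4111111111111112 attached",  # 16 digits but fails Luhn
}
# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC label followed by a 3-4 digit value (must never be stored after authorisation).
CVV_RE = re.compile(r"\bCV[VC]2?\b\s*:?\s*\d{3,4}", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN candidate in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(records: dict) -> dict:
    """Map each record holding card data to its masked PANs and whether a CVV sits beside them."""
    findings = {}
    for name, text in records.items():
        pans = find_pans(text)
        if pans:
            findings[name] = {"pans": [mask(p) for p in pans],
                              "cvv_stored": bool(CVV_RE.search(text))}
    return findings
```

Running scan(SAMPLES) reports the pharmacy note (with a stored CVV) and the faxed form, and ignores the cafeteria totals and the non-Luhn invoice number; in practice the same scan is pointed at mailbox exports and departmental file shares.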
Bon Secours PCI Journey - Results
• There’s always ‘something else’ - new guidance in PCI on VoIP (Nov 2018)
• Can’t get compliant from sitting behind a desk…must talk with other depts
• M&A lessons – close integration with Treasury & the risk management program
• Strong relationship with merchant processor/bank…this is very important – business unit communications
Next Steps
• List the gaps, needs and issues
• Determine the best way to fix:
  Policies and procedures
  Changes to the way card payments are processed
  Procedures
  Hardware and software
  Third-party service providers
• Work through the issues with vendors before signing contracts. Use your PCI team and/or QSA
• Get to work
Best Practices - Attesting to Compliance
• ROC or SAQ - partner with vendors that have enterprise and hospital experience.
• Create sets/groupings for common methods.
  Each method should be in a set even if it’s the only one.
• Complete an SAQ for each set/grouping
  Allows the answers to be focused on the method in question
  Things aren’t missed
• Roll up SAQs into a single SAQ for submission
Best Practices - Attesting to Compliance
If you aren’t compliant…
• Document a plan with timelines
• Engage a QSA to advise
• Work with the bank to avoid fines
• Make your vendors do their part
  They should be part of the solution, not a bystander.
Questions
Philip Napier, Director, Enterprise Information Security
Bon Secours Health System
https://www.linkedin.com/in/philnapier
philip_napier@bshsi.org
Jon Bonham, Principal, Coalfire
Jon.Bonham@Coalfire.com
https://www.linkedin.com/in/jon-bonham-cisa-qsa-549a1033/